Cybersecurity Maturity Model Certification (CMMC)

If your company is currently working with, or wants to work within, the DoD area, then you may want to follow along. The Department of Defense (DoD) announced on January 31, 2020 that Cybersecurity Maturity Model Certification (CMMC) v1.0 has been released. The Department is releasing CMMC Model v1.0 and the associated overview briefings, which can be accessed here:

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

The CMMC reviews and combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats.

The CMMC effort builds upon existing regulation (DFARS 252.204-7012), which relies on contractor self-attestation, by adding a verification component with respect to cybersecurity requirements.

The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

The intent is for certified, independent third-party organizations to conduct assessments and inform risk.

What is CMMC?

It is estimated that close to $600 billion is lost to cybercrime globally each year. A large portion of these losses involve intellectual property (IP) theft, which is largely attributable to weak cybersecurity program maturity and a lack of suitable controls within organizations.

Within the US Department of Defense, the sharing of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the Defense Industrial Base (DIB) greatly expands the cybersecurity risk for the DoD. As such, the CMMC Program is meant to assess and enhance the cybersecurity posture of the Defense Industrial Base by outlining best practices and controls distilled from numerous cybersecurity standards into one simplified framework, defining maturity levels ranging from basic cyber hygiene to highly advanced practices.

The CMMC is a certification procedure developed by the Department of Defense (DoD) to certify that contractors have the controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Model draws on the best practices of different cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, and combines them into one cohesive cybersecurity standard. The model is organized into seventeen (17) domains, listed below:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System and Communications Protection
  17. System and Information Integrity

The CMMC contains five levels, ranging from basic cyber hygiene controls to state-of-the-art controls, but unlike NIST SP 800-171, the CMMC does not contain a self-assessment component. Every organization that plans to conduct business with the Department of Defense will be required to undergo an assessment by an authorized assessing entity before bidding on a contract or subcontracting to a prime.

An organization's CMMC journey will culminate in CMMC certification at one of five levels. CMMC will be rolled out in new DoD contracts over the coming years, beginning in late 2020 with several new DoD RFPs affecting upwards of 1,500 organizations that will require CMMC certification. CMMC certification will be required prior to contract award, and prime contractors will be required to flow down CMMC requirements throughout their supply chain.

DoD plans to continue the multi-year roll-out, with CMMC certification becoming a de facto requirement for all new contract awards. Many primes have already begun reaching out to their supply chains to raise awareness of this fast-approaching requirement.

CMMC certification will be provided by independent assessment bodies such as NQA starting in mid-2020. NQA has been an active participant in the development of the CMMC Program and is well positioned to provide CMMC assessments as soon as certification is available; NQA will be sharing more information about the CMMC Program in the coming months.

Proactive organizations can request gap assessments to CMMC from QSG now and potentially get ahead of the curve.

QSG has formed partnerships with CyberSaint and other providers to support you!


What Now?

It is time to prepare for the changes to come. Take some time to read through the CMMC model, accessible through the link below.

So, how can we obtain the CMMC for our organization?

As stated, there is no self-certification. Your organization will coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule a CMMC assessment. Your company will specify the certification level requested based on its specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier. Once certification has been obtained, the level will be made public; however, details regarding specific findings will not be publicly available. The DoD will only see your certification level.

You will have many questions and probably some concerns, such as:

  • How will this affect my business?
  • Will my current DoD-awarded contracts be in jeopardy if I am not compliant?
  • How much will this cost?
  • Who can help me with my third-party audits?
  • How do I implement this standard?

Always Keep Improving!